From my observation there are not necessarily 'deep' thoughts here. The statements all make sense, to the point that it seems like stating the obvious. The value is in that the thoughts have been persisted, collected and presented in a clean and concise way. This means that in our haste to get a product out the door, we can walk through a relatively simple list to verify we didn't miss something obvious.

A good idea. I hope it continues to have contributions and a community is built around this.

Monday, November 27, 2006

Logparser can be your good friend if you have a large set of data (text form or otherwise) that you would like to summarize. It can be used to analyze Microsoft's Internet Information Server (IIS) logfiles, text-based logfiles, XML files, Event Viewer data, the Registry, Active Directory objects, CSVs and more (see the full list of input formats at the end of this blog entry).

Below is my documentation of how to use logparser, with a number of examples. Most of the IIS log-parsing examples were not developed by me: there is a Microsoft team that can be engaged to do an IIS health check, and these are the logparser SQL queries they used.

Logparser to start

I recommend becoming familiar with:

logparser -h

In all truth, all my needs have been answered by the command-line help. I may have googled for a solution, but the problem was solvable with careful reading.

Logparser and IIS logs

Logparser automatically reads the IIS header. In fact, I highly suspect that the reason for the tool's existence began with the need to analyze IIS logs - the history and lore I have not taken that much time to learn. I'll let you correct me?

Queries (examples): updated March 2007 to add reverse DNS lookup, Referer URLs (sic), and Referer Summary (sic).

• Merge Multiple Log files
To consolidate log files into a single file.
logparser -o:IIS "select * into merged.log from ex*.log"

• A count of the Total Requests
logparser "select count(*) into IISLOG_TOTAL_REQ.csv from ex061023.log"

• How many unique clients
logparser "select count(distinct c-ip) into IISLOG_DISTINCT_CLIENTS.csv from ex061023.log"

• Top 20 URLs Hit
logparser "SELECT TOP 20 cs-uri-stem, COUNT(*) AS Hits INTO Analysis.csv from ex061023.log group by cs-uri-stem order by Hits DESC"

• Top 20 ASP pages Hit
logparser "SELECT TOP 20 cs-uri-stem, COUNT(*) AS Hits INTO Analysis.csv from ex061023.log where cs-uri-stem like '%%.asp' group by cs-uri-stem order by Hits DESC"

• Hit Frequency (how many hits per hour)
logparser "SELECT TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)), COUNT(*) AS Hit_Frequency INTO IISLOG_ANALYSIS_HIT_FREQ.CSV FROM ex061023.log GROUP BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ORDER BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ASC"

• Bytes per Extension
What is the percentage of the bytes served per extension type?
logparser "SELECT EXTRACT_EXTENSION(cs-uri-stem) AS Extension, MUL(PROPSUM(sc-bytes),100.0) AS PercentOfTotalBytes INTO IISLOG_ANALYSIS_BYTES_PER_EXT.CSV FROM ex061023.log GROUP BY Extension ORDER BY PercentOfTotalBytes DESC"

• Top 20 Clients Hitting this server
logparser "SELECT top 20 c-ip AS Client_IP,count(c-ip) AS PageCount from ex061023.log to IISLOG_ANALYSIS_TOP20_CLIENT_IP.CSV GROUP BY c-ip ORDER BY count(c-ip) DESC"

• REVERSEDNS of Top 20 Clients Hitting this server (reversedns(...) is a long-running function for obvious reasons)
logparser "SELECT top 20 c-ip AS Client_IP, REVERSEDNS(c-ip),count(c-ip) AS PageCount from ex061023.log to IISLOG_ANALYSIS_TOP20_CLIENT_IP_WITH_DNS.CSV GROUP BY c-ip ORDER BY count(c-ip) DESC"

• Referrer Host Names directing traffic to this server with count of pages referred (summary)
logparser "SELECT ReferringHost, count(*) AS TotalReferrals, Min(cs(Referer)) AS ExampleRefererURL USING CASE EXTRACT_TOKEN(cs(Referer),2, '/') WHEN null THEN 'NoReferer' ELSE EXTRACT_TOKEN(cs(Referer),2, '/') END as ReferringHost into IISLOG_ANALYSIS_REFERER_HOSTS.CSV FROM ex061023.log group by ReferringHost order by count(*) DESC"

• Referrer URLs directing traffic to this server (full report)
logparser "SELECT EXTRACT_TOKEN(cs(Referer),2, '/') as RefererHostName, cs(Referer) AS RefererURL, count(cs(Referer)) AS TotalReferrals into IISLOG_ANALYSIS_REFERERURLs.CSV FROM ex061023.log group by cs(Referer) order by count(cs(Referer)) DESC"

• Unique Clients per Hour
This is two separate SQLs.
1. logparser -o:CSV "Select TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) as Times, c-ip as ClientIP into IISLOG_ANALYSIS_DIST_CLIENT_IP.LOG from ex061023.log group by Times, ClientIP"
2. logparser -i:CSV "Select Times, count(*) as Count from IISLOG_ANALYSIS_DIST_CLIENT_IP.LOG to IISLOG_ANALYSIS_HOURLY_UNIQUE_CIP.CSV group by Times order by Times ASC"

• IIS Errors and URL Stem (Error code > 400)
logparser "SELECT cs-uri-stem, sc-status,sc-win32-status,COUNT(cs-uri-stem) from ex061023.log to IISLOG_ANALYSIS_ERROR_COUNT.CSV where sc-status>=400 GROUP BY cs-uri-stem,sc-status,sc-win32-status ORDER BY COUNT(cs-uri-stem) DESC"

• IIS Errors by hour (Error code > 500)
Can answer whether the errors are load related.
logparser "SELECT TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)), COUNT(*) AS Error_Frequency FROM ex061023.log TO IISLOG_ANALYSIS_ERROR_FREQ.CSV WHERE sc-status >= 500 GROUP BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ORDER BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ASC"

• Status Code distribution
logparser "SELECT sc-status, COUNT(*) AS Times from ex061023.log to IISLOG_ANALYSIS_STATUS_CODE.CSV GROUP BY sc-status ORDER BY Times DESC"

• Top 20 Longest time-taken (on average) pages
logparser "SELECT top 20 cs-uri-stem,count(cs-uri-stem) As Count,avg(sc-bytes) as sc-bytes,max(time-taken) as Max,min(time-taken) as Min,avg(time-taken) as Avg from ex061023.log to IISLOG_ANALYSIS_TOP20_AVG_LONGEST.CSV GROUP BY cs-uri-stem ORDER BY avg(time-taken) DESC"

• Top 50 longest requests
logparser "SELECT top 50 TO_LOWERCASE(cs-uri-stem),time,sc-bytes,time-taken INTO IISLOG_ANALYSIS_TOP50_LONGEST.CSV FROM ex061023.log ORDER BY time-taken DESC"

• Average Response time by Hour
logparser "SELECT TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)), avg(time-taken) INTO IISLOG_ANALYSIS_AVG_RESP_TIME.CSV FROM ex061023.log WHERE cs-uri-stem like '%%.asp' GROUP BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ORDER BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ASC"

• Percentage Processing time by extension
logparser "SELECT EXTRACT_EXTENSION(cs-uri-stem) AS Extension, MUL(PROPSUM(time-taken),100.0) AS Processing_Time INTO IISLOG_ANALYSIS_PROCTIME_PER_EXT.CSV FROM ex061023.log GROUP BY Extension ORDER BY Processing_Time DESC"
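To make the shape of these summaries visible without IIS or logparser installed, here is an added example (my own code, not from the original post and not part of logparser) that reproduces a handful of the queries above in plain Python over a constructed IISW3C log: the #Fields-driven column naming that logparser does automatically, the hourly QUANTIZE bucket, the status code distribution, the errors-by-hour check, the top clients, and the PROPSUM-style percentage by extension. The log lines, IP addresses and URLs are constructed; TO_LOCALTIME is deliberately left out so the hour buckets are unambiguous.

```python
"""Added example, not from the original post or from logparser: a pure-Python
equivalent of several of the IIS queries above, run over a constructed IISW3C log."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in the W3C Extended format logparser's IISW3C input reads.
# IIS writes date/time in UTC; the queries above wrap them in TO_LOCALTIME, which is
# skipped here so the hour buckets are unambiguous.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-10-23 18:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status sc-bytes time-taken
2006-10-23 18:01:10 10.0.0.5 GET /default.asp 200 0 4120 31
2006-10-23 18:02:15 10.0.0.5 GET /images/logo.gif 200 0 2048 5
2006-10-23 18:20:40 10.0.0.7 GET /orders.asp 500 0 512 2300
2006-10-23 18:45:01 10.0.0.9 GET /missing.asp 404 2 1380 12
2006-10-23 19:03:33 10.0.0.5 GET /orders.asp 500 0 512 1900
2006-10-23 19:10:00 10.0.0.7 GET /default.asp 200 0 4120 28
2006-10-23 19:59:59 10.0.0.7 GET /default.asp 200 0 4120 40
"""


def parse_iisw3c(text):
    """Yield one dict per request, naming columns from the #Fields directive
    (the header logparser's IISW3C format picks up automatically)."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no requests
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def quantize_hour(row):
    """QUANTIZE(TO_TIMESTAMP(date, time), 3600): the request's hour bucket."""
    ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
    return ts.replace(minute=0, second=0)


def hit_frequency(rows):
    """'Hit Frequency': requests per hour, ordered by hour."""
    return sorted(Counter(quantize_hour(r) for r in rows).items())


def errors_by_hour(rows, threshold=500):
    """'IIS Errors by hour': sc-status >= threshold per hour. Compared with
    hit_frequency() it shows whether the errors track load."""
    hours = Counter(quantize_hour(r) for r in rows if int(r["sc-status"]) >= threshold)
    return sorted(hours.items())


def status_distribution(rows):
    """'Status Code distribution', most frequent first."""
    return Counter(r["sc-status"] for r in rows).most_common()


def top_clients(rows, n=20):
    """'Top 20 Clients Hitting this server'."""
    return Counter(r["c-ip"] for r in rows).most_common(n)


def percent_time_by_extension(rows):
    """'Percentage Processing time by extension':
    MUL(PROPSUM(time-taken), 100.0) grouped by EXTRACT_EXTENSION(cs-uri-stem)."""
    per_ext = defaultdict(int)
    for r in rows:
        name = r["cs-uri-stem"].rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        per_ext[ext] += int(r["time-taken"])
    total = sum(per_ext.values()) or 1
    return sorted(((e, round(t * 100.0 / total, 1)) for e, t in per_ext.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    rows = list(parse_iisw3c(SAMPLE_LOG))
    for hour, hits in hit_frequency(rows):
        print(hour.strftime("%Y-%m-%d %H:00"), "hits", hits)
    print("errors >= 500 by hour:", errors_by_hour(rows))
    print("status codes:", status_distribution(rows))
    print("top clients:", top_clients(rows))
    print("processing time by extension (%):", percent_time_by_extension(rows))
```

Pointing `parse_iisw3c` at a real ex*.log read from disk is the only change needed to run it against production logs; the skip-on-column-mismatch branch is there because a log truncated mid-write would otherwise shift every later column into the wrong name.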

As an added bonus, I've created a small cmd (Windows) shell script that runs through all (but the first) of these queries against a log file. It is located at the following link: download it. Note that it requires logparser on the path and has a command-line invocation of:

logparseranalysis.cmd ex061023.log

Logparser and creating separate SQL files (the file: argument)

You may have noticed that these SQLs can get long, as is the way with SQL. Logparser provides the means to put these long SQLs in a text file. Additionally, the ability to pass arguments is of course a given. An example is in order. To use the command line below you will need to create a little text file (extension .sql) with the contents shown.

Command Line:

logparser file:iis.sql?logfile=ex061113.log

Text file: iis.sql

-- Start of SQL file --
SELECT c-ip AS ClientIP, cs-host AS HostName, cs-uri-stem AS URIStem, sc-status AS Status, cs(User-Agent) AS UserAgent, count(*) AS Requests
INTO output.csv
FROM %logfile%
WHERE time > to_timestamp('18:20:00', 'hh:mm:ss') AND time < to_timestamp('18:45:00', 'hh:mm:ss')
GROUP BY c-ip, cs-uri-stem, cs-host, cs(User-Agent), sc-status
ORDER BY Requests DESC
-- End of SQL file --

Logparser and files without headers

Don't have a header in your CSV file? With a little work we can define a logparser SQL that will map the unnamed fields to names with meaning. The automatic header row parsing will need to be turned off.

Command Line:

logparser -i:csv -headerRow:OFF file:dslog.sql?logfile=logwoutheader.log+outputfile=out.csv

Text file: dslog.sql

-- Start of SQL file --
SELECT To_TimeStamp(MyDate, MyTime) AS DateTime, field3 AS MachineName, field4 AS PID, field5 AS TID, To_Int(field6) AS ErrorLevel, field7 AS RegExp, field8 AS Line, field9 AS SID, field12 AS Message
USING TO_TIMESTAMP(field1, 'MM/dd/yyyy') AS MyDate, TO_TIMESTAMP(field2, 'hh:mm:ss.lx') AS MyTime
INTO %OUTPUTFILE%
FROM %LOGFILE%
WHERE ErrorLevel >= 35
-- End of SQL file --
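The headerless case is worth seeing end to end, so here is an added example (my own code, not from the original post or from logparser) that does in Python what dslog.sql does: names the positional columns, joins the separate date and time columns into one timestamp, converts the level to an integer and keeps only rows at or above the threshold. The twelve-column input is constructed to match the layout the query assumes; the machine names, SIDs and messages in it are made up.

```python
"""Added example, not from the original post: the headerless-CSV field mapping of
dslog.sql in Python, over a constructed 12-column log with no header row."""
import csv
from datetime import datetime
from io import StringIO

# Constructed input in the layout the query assumes: date, time, machine, PID, TID,
# error level, regexp, line, SID, two unused columns, message. No header row.
SAMPLE = """\
11/27/2006,18:20:01.125,WEB01,1234,8,10,re1,42,S-1-5-21-0-0-0-500,x,y,Service started
11/27/2006,18:21:07.300,WEB01,1234,9,35,re2,77,S-1-5-21-0-0-0-500,x,y,Retrying connection
11/27/2006,18:22:45.003,WEB02,4321,3,50,re3,91,S-1-5-21-0-0-0-501,x,y,Connection refused
11/27/2006,18:23:00.000,WEB02,4321,3,20,re4,12,S-1-5-21-0-0-0-501,x,y,Heartbeat
bad line with too few columns
"""

# With -headerRow:OFF logparser names the columns Field1..FieldN; this is the query's
# "fieldN as Name" mapping, 1-based like the query.
FIELD_NAMES = {3: "MachineName", 4: "PID", 5: "TID", 6: "ErrorLevel",
               7: "RegExp", 8: "Line", 9: "SID", 12: "Message"}


def parse_headerless(text, min_level=35):
    """Name the positional fields, join field1+field2 into one timestamp
    (TO_TIMESTAMP(field1,'MM/dd/yyyy') and TO_TIMESTAMP(field2,'hh:mm:ss.lx')),
    and keep the rows WHERE ErrorLevel >= min_level."""
    kept = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) < max(FIELD_NAMES):
            continue  # too short to hold Field12: skip instead of failing mid-file
        rec = {name: fields[pos - 1] for pos, name in FIELD_NAMES.items()}
        rec["DateTime"] = datetime.strptime(fields[0] + " " + fields[1],
                                            "%m/%d/%Y %H:%M:%S.%f")
        try:
            rec["ErrorLevel"] = int(rec["ErrorLevel"])
        except ValueError:
            continue  # To_Int() on a non-numeric field gives NULL in logparser; drop it here
        if rec["ErrorLevel"] >= min_level:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in parse_headerless(SAMPLE):
        print(rec["DateTime"].isoformat(sep=" "), rec["MachineName"],
              rec["ErrorLevel"], rec["Message"])
```

The short-line and non-numeric checks are the part logparser handles silently for you; when writing the equivalent by hand they are what keeps one damaged line from aborting the whole report.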

Logparser and the Event Viewer

Although already covered in a previous article, logparser can also connect to the Event Viewer and analyze those logs. It can even do this on remote machines. The SQL in that article is an example of how to detect locked-out accounts.

Logparser 2.2 Input formats:

• IISW3C: This is the IIS W3C Extended log file format.
• IIS: This is the IIS log file format.
• IISMSID: This is the log format for files generated by IIS when the MSIDFILT filter or the CLOGFILT filter is installed.
• NCSA: This is the IIS NCSA Common log file format.
• ODBC: This is the IIS ODBC format, which sends log files to an ODBC-compliant database.
• BIN: This is the IIS binary log file format.
• URLSCAN: This is the format for URLScan logs.
• HTTPERR: This is the IIS 6.0 HTTP error log file format.
• EVT: This is the Microsoft Windows Event Messages format.
• TEXTWORD: This is a generic text file, where the TEXT value is any separate word.
• TEXTLINE: This is a generic text file, where the TEXT value is any separate line.
• CSV: This is a comma-separated list of values.
• W3C: This is a generic W3C log file, such as a log generated by Windows Media Services or Personal Firewall.
• FS: This provides information about file and directory properties.
• XML: Reads XML files (requires the Microsoft® XML Parser (MSXML)).
• TSV: Reads tab- and space-separated values text files.
• ADS: Reads information from Active Directory objects.
• REG: Reads information from the Windows Registry.
• NETMON: Makes it possible to parse NetMon .cap capture files.
• ETW: Reads Event Tracing for Windows log files and live sessions.

Logparser 2.2 Output formats:

• W3C: This format sends results to a text file that contains headers and values that are separated by spaces.
• IIS: This format sends results to a text file with values separated by commas and spaces.
• SQL: This format sends results to a SQL table.
• CSV: This format sends results to a text file. Values are separated by commas and optional tab spaces.
• XML: This format sends results to an XML-formatted text file.
• Template: This format sends results to a text file formatted according to a user-specified template.
• Native: This format is intended for viewing results on screen.
• CHART: Creates chart image files (requires Microsoft Office 2000 or later).
• TSV: Writes tab- and space-separated values text files.
• SYSLOG: Sends information to a SYSLOG server or to a SYSLOG-formatted text file.

Wednesday, November 15, 2006

This one is a pet peeve of Paul's. I admit that sometimes Rich Text is really a good thing. In our world of Windows Rich Text, there are times when I want to paste rich text and many more times when I want to paste text only. My wife actually influenced me into realizing the need is great enough to research it. I've used the Paste Special command for a long time, but have been troubled by the lack of a shortcut key for it.

This article (link below) is a great how-to on creating a macro bound to a shortcut key in MS Word, which these days (Office 2003) translates directly to our Outlook 2003 email client. If you create this macro in Word, you can use it when composing your Outlook emails.

The next extension would be to create a Windows wide Paste Special shortcut key. Sure, I'll add it to my project list ;)

Update: I won't bother with the Windows-wide implementation yet. It is already done: PureText - http://stevemiller.net/PureText/; a quick trial suggests it works well.

A quote from the web-page: Have you ever copied some text from a web page or a document and then wanted to paste it as simple text into another application without getting all the formatting from the original source? PureText makes this simple by adding a new Windows hot-key (default is WINDOWS+V) that allows you to paste text to any application without formatting.

After running PureText.exe, you will see a "PT" tray icon appear near the clock on your task bar. You can click on this icon to remove formatting from the text that is currently on the clipboard. You can right-click on the icon to display a menu with more options.

The introduction, a copy-paste from the above site, and the sample program to run through your compiler are below.

Introduction

You would think that the basic integer types provided by the C and C++ languages wouldn't cause as much confusion as they do. Almost every day there are posts in the C and C++ newsgroups which show that many newcomers do not understand them. Some experienced programmers who are only familiar with one platform do not understand them either.

The most common source of confusion is the sizes of the integer types, and the range of values which they can hold. That is because the languages leave many features of the integer types implementation-defined, meaning that it is up to the particular compiler to determine their exact specifications. C and C++ do set minimum requirements for each of the integer types, but the compiler is free to exceed these limits.

Each compiler is required to document its implementation. This information should be available in the printed manuals, online help, or man pages which come with the compiler.

In addition, there is a required standard header named <limits.h> (<climits> in newer C++ compilers) that provides information about the integer types that can be used in your programs at run time. A compiler is not required to provide a header like <limits.h> as a readable text file, but I do not know of any compilers which do not.

There are programs on this page to display the information that this file contains.

Sunday, November 12, 2006

While exploring the internet trying to figure out a trivial little problem, I rediscovered a tool that w3.org provides to any and all users on the internet and that I had forgotten about. It can validate a multitude of DOCTYPEs, from XHTML 1.0 to SVG 1.1 and several flavors in between.

A quote from the validator's FAQ: "Most pages on the World Wide Web are written in computer languages (such as HTML) that allow Web authors to structure text, add multimedia content, and specify what appearance, or style, the result should have.

As for every language, these have their own grammar, vocabulary and syntax, and every document written with these computer languages is supposed to follow these rules. The (X)HTML languages, for all versions up to XHTML 1.1, are using machine-readable grammars called DTDs, a mechanism inherited from SGML.

However, just as texts in a natural language can include spelling or grammar errors, documents using markup languages may (for various reasons) not be following these rules. The process of verifying whether a document actually follows the rules for the language(s) it uses is called validation, and the tool used for that is a validator. A document that passes this process with success is called valid.

With these concepts in mind, we can define "markup validation" as the process of checking a Web document against the grammar (generally a DTD) it claims to be using."

This reminds me, I should remember to run the pages I publish through this tool. I expect it to be more pedantic than a web browser, but that is a good thing. I see a few things that I need to fix up on a couple of my sites right now.

Thursday, November 09, 2006

This is a special-request HOWTO on transcoding. There is a soul out on the internet who wants to be able to convert Flash video (FLV) to AVI, MPEG (MPG), or WMV. For those of us who don't know, this is called transcoding. It is simply a matter of decoding the video to an intermediate form and encoding the video into the chosen format.

Monday, November 06, 2006

Not that this is very technical, but yesterday I found a good site for sharing and getting wallpaper/desktop backgrounds.

InterfaceLIFT's content is entirely visitor-submitted and is intended to be shared. They do a great job of search and provide a multitude of resolutions from 1024x768 to 2560x1600 as well as a number of other formats (iPod/Sony PSP).

My search for "Seattle" returned several great photos of the city. Another search for "Vancouver" returned even more.

I never thought to try this, but multiple rename is built into Windows. It is simple enough. (1) Select multiple files. (2) Rename one of them. (3) The others will be renamed with a sequence of numbers appended to the end of the file name. It is described in a little more detail at the link below.

After the advent of Google's Webmaster Tools there appeared the Yahoo Site Manager. I suspect that MSN is going to be next in that space. It is in these tools that the user gets the ability to configure some of the high-level details for search engine optimization.

For those of you who are casually interested in increasing your page ranks/positions, these would be the places to go.

At this point in time, the primary functionality these appear to provide is the ability to submit Sitemap feeds to the search engine. This allows for two methods of listing sites with these search engines: (one) the crawler/bot and (two) the submission of URLs.

Wednesday, November 01, 2006

I've been in a number of organizations where the mystery of who, what, where, when and how an account got locked out is, umm, a mystery. This is because the regular login/logout data and other authentication data is bundled in with the 1 or 10 errors per day. The truth is obfuscated by too much data. The biggest problem always appears to be with service accounts, where a number of things depend on one account.

It turns out it can be relatively simple to write an MS logparser query to hunt out this information. AKA, logparser is your best friend. The second thing to note is that EventID 644 is the event that is written when an account is locked out. The rest is really the details.

Create a file by the name of lockedaccounts.sql in the same directory as your logparser.exe (or add the folder that holds logparser.exe to the path).

File contents:

SELECT timegenerated AS TimeLockedout,
  extract_token(strings, 0, '|') AS UserName,
  extract_token(strings, 1, '|') AS OriginatingMachine,
  EventID,
  SourceName,
  Message,
  CASE EventID
    WHEN 529 THEN 'Invalid userid/password'
    WHEN 531 THEN 'Account disabled'
    WHEN 539 THEN 'Account locked out'
    WHEN 530 THEN 'Outside of logon time'
    WHEN 532 THEN 'Account Expired'
    WHEN 535 THEN 'Password Expired'
    WHEN 533 THEN 'User not from allowed system'
    WHEN 644 THEN 'Account Auto Locked'
    WHEN 540 THEN 'Successful logon'
    ELSE 'Not specified'
  END AS EventDesc,
  strings
INTO lockedact.csv
FROM \\%DOMAINCONTROLER%\Security
WHERE EventID=644

Run the following command (it has a 90-second run time on ~500,000 remote Event Viewer records):

C:\>logparser file:lockedaccounts.sql?DOMAINCONTROLER=ADOMAINCONTROLER

Open the lockedact.csv file in Excel. Hunt out the account you want to analyze. The 'OriginatingMachine' column is the machine that locked out the account. The other columns are there for info only. Note that EventID 644 is the one you are interested in (http://www.ultimatewindowssecurity.com/events/com264.htm).
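The same logic as an added example in Python (my own code, not from the original post and not something logparser ships): it filters constructed Security-log records to EventID 644, pulls the account and caller machine out of the '|'-joined insertion strings exactly as the query's extract_token calls do, applies the CASE table, and then does the "hunt it out in Excel" step by counting which machine keeps locking which account. The records, account names and machine names are constructed; nothing here reads a real event log, which is what logparser's FROM \\server\Security does for you.

```python
"""Added example, not from the original post: the logic of lockedaccounts.sql in Python,
run over constructed Security-log records shaped like the fields logparser's EVT input
exposes (TimeGenerated, EventID, SourceName, Strings)."""
from collections import Counter

# The CASE EventID table from the query above (Windows 2000/2003 security event IDs).
EVENT_DESC = {
    529: "Invalid userid/password",
    531: "Account disabled",
    539: "Account locked out",
    530: "Outside of logon time",
    532: "Account Expired",
    535: "Password Expired",
    533: "User not from allowed system",
    644: "Account Auto Locked",
    540: "Successful logon",
}

# Constructed records. 'Strings' is the event's insertion strings joined with '|', in the
# layout the query's extract_token(strings, 0, '|') / (strings, 1, '|') assumes for 644:
# token 0 = target account, token 1 = caller machine name. Other tokens are filler.
SAMPLE_EVENTS = [
    ("2006-11-01 08:02:11", 540, "Security", "jdoe|CORP|(0x0,0x3E7)|3|Kerberos|Kerberos"),
    ("2006-11-01 08:05:42", 529, "Security", "svc_backup|CORP|3|User32|Negotiate|WEB01"),
    ("2006-11-01 08:05:50", 644, "Security", "svc_backup|WEB01|S-1-5-21-0-0-0-1105|S-1-5-18"),
    ("2006-11-01 09:15:03", 644, "Security", "jdoe|LAPTOP17|S-1-5-21-0-0-0-1200|S-1-5-18"),
    ("2006-11-01 09:16:30", 644, "Security", "svc_backup|WEB01|S-1-5-21-0-0-0-1105|S-1-5-18"),
    ("2006-11-01 09:20:00", 644, "Security", "svc_backup"),  # damaged record: no machine token
]


def extract_token(strings, index, sep="|"):
    """logparser's EXTRACT_TOKEN(strings, index, sep); None when the token is absent."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else None


def lockout_report(events, wanted_id=644):
    """The SELECT ... WHERE EventID=644 part: one row per lockout event."""
    rows = []
    for time_generated, event_id, source, strings in events:
        if event_id != wanted_id:
            continue
        rows.append({
            "TimeLockedout": time_generated,
            "UserName": extract_token(strings, 0),
            "OriginatingMachine": extract_token(strings, 1),
            "EventID": event_id,
            "SourceName": source,
            "EventDesc": EVENT_DESC.get(event_id, "Not specified"),
        })
    return rows


def lockouts_by_origin(rows):
    """The step the post does by hand in Excel: which machine keeps locking which account.
    Returns [((UserName, OriginatingMachine), count), ...], most frequent first."""
    pairs = Counter((r["UserName"], r["OriginatingMachine"] or "<unknown>") for r in rows)
    return pairs.most_common()


if __name__ == "__main__":
    report = lockout_report(SAMPLE_EVENTS)
    for (user, machine), count in lockouts_by_origin(report):
        print(f"{user:12} locked out {count}x from {machine}")
```

A service account that is locked repeatedly from the same machine, as svc_backup is from WEB01 in the constructed data, is the usual signature of a scheduled task or service still configured with an old password; a `<unknown>` origin means the event's insertion strings were not in the expected layout and the row needs a look at its raw Message text.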

This is my little documentation area for regexps that I create when I need to convert one form of text to another. Being on Windows, I've taken to simply using Visual Studio's regexp Find and Replace.

My plan is to update this entry as I write other regexps in my day-to-day work life.

First off, feel free to check the "Use: Regular expressions" option in the Find and Replace dialog.

About this Blog

In truth this is my personal documentation area, where I hope to save myself time by documenting my home projects and work projects. I also hope to be able to provide others with simple HOWTO guides, FAQs and other tidbits.